mirror-bot/pleroma
1
0
Fork 0
mirror of https://git.pleroma.social/pleroma/pleroma.git synced 2026-02-15 17:16:57 +00:00
Code Packages 1 Activity

Merge branch 'fix-oauth-app-registration' into 'develop'

Browse source 
Change redirect_uris to accept array of strings

See merge request pleroma/pleroma!4423
This commit is contained in:
lain 2026-01-16 10:21:41 +00:00
commit 09aad75b33
6 changed files with 87 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

1
changelog.d/oauth-registration-redirect_uris.fix Normal file
View file

@ -0,0 +1 @@
Fix OAuth app registration to accept `redirect_uris` as an array of strings (RFC 7591), while keeping backwards compatibility with string input.

14
lib/pleroma/web/api_spec/operations/admin/o_auth_app_operation.ex
View file

@ -123,7 +123,10 @@ defmodule Pleroma.Web.ApiSpec.Admin.OAuthAppOperation do
name: %Schema{type: :string, description: "Application Name"}, name: %Schema{type: :string, description: "Application Name"},
scopes: %Schema{type: :array, items: %Schema{type: :string}, description: "oAuth scopes"}, scopes: %Schema{type: :array, items: %Schema{type: :string}, description: "oAuth scopes"},
redirect_uris: %Schema{ redirect_uris: %Schema{
type: :string, oneOf: [
%Schema{type: :string},
%Schema{type: :array, items: %Schema{type: :string}}
],
description: description:
"Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter." "Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter."
}, },
@ -141,7 +144,7 @@ defmodule Pleroma.Web.ApiSpec.Admin.OAuthAppOperation do
}, },
example: %{ example: %{
"name" => "My App", "name" => "My App",
"redirect_uris" => "https://myapp.com/auth/callback", "redirect_uris" => ["https://myapp.com/auth/callback"],
"website" => "https://myapp.com/", "website" => "https://myapp.com/",
"scopes" => ["read", "write"], "scopes" => ["read", "write"],
"trusted" => true "trusted" => true
@ -157,7 +160,10 @@ defmodule Pleroma.Web.ApiSpec.Admin.OAuthAppOperation do
name: %Schema{type: :string, description: "Application Name"}, name: %Schema{type: :string, description: "Application Name"},
scopes: %Schema{type: :array, items: %Schema{type: :string}, description: "oAuth scopes"}, scopes: %Schema{type: :array, items: %Schema{type: :string}, description: "oAuth scopes"},
redirect_uris: %Schema{ redirect_uris: %Schema{
type: :string, oneOf: [
%Schema{type: :string},
%Schema{type: :array, items: %Schema{type: :string}}
],
description: description:
"Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter." "Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter."
}, },
@ -175,7 +181,7 @@ defmodule Pleroma.Web.ApiSpec.Admin.OAuthAppOperation do
}, },
example: %{ example: %{
"name" => "My App", "name" => "My App",
"redirect_uris" => "https://myapp.com/auth/callback", "redirect_uris" => ["https://myapp.com/auth/callback"],
"website" => "https://myapp.com/", "website" => "https://myapp.com/",
"scopes" => ["read", "write"], "scopes" => ["read", "write"],
"trusted" => true "trusted" => true

5
lib/pleroma/web/api_spec/operations/app_operation.ex
View file

@ -97,7 +97,10 @@ defmodule Pleroma.Web.ApiSpec.AppOperation do
properties: %{ properties: %{
client_name: %Schema{type: :string, description: "A name for your application."}, client_name: %Schema{type: :string, description: "A name for your application."},
redirect_uris: %Schema{ redirect_uris: %Schema{
type: :string, oneOf: [
%Schema{type: :string},
%Schema{type: :array, items: %Schema{type: :string}}
],
description: description:
"Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter." "Where the user should be redirected after authorization. To display the authorization code to the user instead of redirecting to a web page, use `urn:ietf:wg:oauth:2.0:oob` in this parameter."
}, },

23
lib/pleroma/web/o_auth/app.ex
View file

@ -31,9 +31,32 @@ defmodule Pleroma.Web.OAuth.App do
@spec changeset(t(), map()) :: Ecto.Changeset.t() @spec changeset(t(), map()) :: Ecto.Changeset.t()
def changeset(struct, params) do def changeset(struct, params) do
params = normalize_redirect_uris_param(params)
cast(struct, params, [:client_name, :redirect_uris, :scopes, :website, :trusted, :user_id]) cast(struct, params, [:client_name, :redirect_uris, :scopes, :website, :trusted, :user_id])
end end
defp normalize_redirect_uris_param(%{} = params) do
case params do
%{redirect_uris: redirect_uris} when is_list(redirect_uris) ->
Map.put(params, :redirect_uris, normalize_redirect_uris(redirect_uris))
%{"redirect_uris" => redirect_uris} when is_list(redirect_uris) ->
Map.put(params, "redirect_uris", normalize_redirect_uris(redirect_uris))
_ ->
params
end
end
defp normalize_redirect_uris(redirect_uris) when is_list(redirect_uris) do
redirect_uris
|> Enum.filter(&is_binary/1)
|> Enum.map(&String.trim/1)
|> Enum.reject(&(&1 == ""))
|> Enum.join("\n")
end
@spec register_changeset(t(), map()) :: Ecto.Changeset.t() @spec register_changeset(t(), map()) :: Ecto.Changeset.t()
def register_changeset(struct, params \\ %{}) do def register_changeset(struct, params \\ %{}) do
changeset = changeset =

22
test/pleroma/web/admin_api/controllers/o_auth_app_controller_test.exs
View file

@ -57,6 +57,28 @@ defmodule Pleroma.Web.AdminAPI.OAuthAppControllerTest do
} = response } = response
end end
test "success with redirect_uris array", %{conn: conn} do
base_url = Endpoint.url()
app_name = "Trusted app"
response =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/pleroma/admin/oauth_app", %{
name: app_name,
redirect_uris: [base_url]
})
|> json_response_and_validate_schema(200)
assert %{
"client_id" => _,
"client_secret" => _,
"name" => ^app_name,
"redirect_uri" => ^base_url,
"trusted" => false
} = response
end
test "with trusted", %{conn: conn} do test "with trusted", %{conn: conn} do
base_url = Endpoint.url() base_url = Endpoint.url()
app_name = "Trusted app" app_name = "Trusted app"

27
test/pleroma/web/mastodon_api/controllers/app_controller_test.exs
View file

@ -61,6 +61,33 @@ defmodule Pleroma.Web.MastodonAPI.AppControllerTest do
assert app.user_id == nil assert app.user_id == nil
end end
test "creates an oauth app with redirect_uris array", %{conn: conn} do
app_attrs = build(:oauth_app)
conn =
conn
|> put_req_header("content-type", "application/json")
|> post("/api/v1/apps", %{
client_name: app_attrs.client_name,
redirect_uris: [app_attrs.redirect_uris]
})
[app] = Repo.all(App)
expected = %{
"name" => app.client_name,
"website" => app.website,
"client_id" => app.client_id,
"client_secret" => app.client_secret,
"id" => app.id |> to_string(),
"redirect_uri" => app.redirect_uris,
"vapid_key" => Push.vapid_config() |> Keyword.get(:public_key)
}
assert expected == json_response_and_validate_schema(conn, 200)
assert app.user_id == nil
end
test "creates an oauth app with a user", %{conn: conn} do test "creates an oauth app with a user", %{conn: conn} do
user = insert(:user) user = insert(:user)
app_attrs = build(:oauth_app) app_attrs = build(:oauth_app)